source: support pcap-over-ip

[mmaatuq]

Ticket: #5499

Make sure these boxes are checked accordingly before submitting your Pull Request -- thank you.

Contribution style:

• I have read the contributing guide lines at
  https://docs.suricata.io/en/latest/devguide/contributing/contribution-process.html

Our Contribution agreements:

• I have signed the Open Information Security Foundation contribution agreement at
  https://suricata.io/about/contribution-agreement/ (note: this is only required once)

Changes (if applicable):

• I have updated the User Guide (in doc/userguide/) to reflect the changes made
• I have updated the JSON schema (in etc/schema.json) to reflect all logging changes
  (including schema descriptions)
• I have created a ticket at
  https://redmine.openinfosecfoundation.org/projects/suricata/issues

Link to ticket: #5499

Describe changes:

• This is an initial version, and it currently follows a logic similar to Zeek Pluging: https://github.com/emnahum/zeek-pcapovertcp-plugin/tree/master
• Supports only pcap format
• I think this feature could be implemented as part of libpcap, I'm not sure though!
• Sanity test was done using polar proxy
• Could be tested with option -R socket_addr e.g. suricata/src/.libs/lt-suricata -c suricata.yaml -R 127.0.0.1:57012

[mmaatuq]

I wanted to draft it due to :

• Pipeline errors are expected.
• Not documented
• Not tests yet
• I want an early feedback on this MR, as I'm not so comfortable with Suricata internals, but tried to follow same logic for other packet acquisition modules.
• Docs here are empty.
• the plan is to refactor and add missing tests/docs while addressing the comments on this MR

but changed it to make it visible for feedback.